-2

Here I have some php code which allows me to update User information in my students table.

I am trying to figure out how I am able to check if the password for the user that is currently logged in matches the password stored in the database before allowing the information to be updated.

Bertrand Martel
  • 42,756
  • 16
  • 135
  • 159
  • 6
    **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Dec 13 '16 at 22:17
  • 2
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Dec 13 '16 at 22:17

2 Answers

0

As the others say, your script has a bunch of holes.

I assume you are developing for local area only.

If you host it at this stage, you will surely get security problems.

Alright, back to your question.

There are several ways to validate the user before committing the update.

For example:

  1. Put an SQL condition on the UPDATE statement

    if(isset($_POST['Update'])){
        $UpdateFName = $_POST['FirstName'];
        $UpdateLName = $_POST['LastName'];
        $UpdateEmail = $_POST['Email'];
        $UpdateFPassword = $_POST['Password'];

        // $_SESSION['PW'] has to be wrapped in braces inside a double-quoted string;
        // the original '$_SESSION["PW"]' form is a PHP parse error.
        // The WHERE clause only matches when the stored password equals the session value.
        $SQL = $conn->query("UPDATE students
        SET FName='{$UpdateFName}',LName='{$UpdateLName}',Email='{$UpdateEmail}',Password='{$UpdateFPassword}'
        WHERE UserID = $User and Password = '{$_SESSION['PW']}' ");

        header('Location:updateinfo.php');
    }

If you use this method and the current password is different from the password stored in the DB, the UPDATE won't run, since the WHERE condition is not satisfied.

  2. Validate the user first.

    if(isset($_POST['Update'])){
        $UpdateFName = $_POST['FirstName'];
        $UpdateLName = $_POST['LastName'];
        $UpdateEmail = $_POST['Email'];
        $UpdateFPassword = $_POST['Password'];

        // Look the user up by id and password first (braces needed around $_SESSION['PW']).
        $sqlValidate = $conn->query("SELECT * FROM students WHERE UserID ='$User' and Password='{$_SESSION['PW']}' ");
        $getUser = $sqlValidate->fetch_array(MYSQLI_BOTH);

        // Only run the update when the lookup returned a row.
        if($getUser['UserID'] != ''){
            $SQL = $conn->query("UPDATE students SET FName='{$UpdateFName}', LName='{$UpdateLName}', Email='{$UpdateEmail}', Password ='{$UpdateFPassword}' WHERE UserID = $User  ");
        }// end if

        header('Location:updateinfo.php');
    }

You can read http://php.net/manual/en/function.crypt.php for password encryption.

Windy
  • 25
  • 6
  • Yes, this is only for demonstration purposes and not to be hosted live. Thank you for your code; however, I get these errors: unexpected '"', expecting identifier (T_STRING) or variable (T_VARIABLE) or number (T_NUM_STRING). After fixing this error, I get this parse error: syntax error, unexpected '$_SESSION' (T_VARIABLE), and I'm unsure what I've missed out. – uddinn noorr Dec 14 '16 at 12:13
  • It means that the session variable is missing; make sure that you declare the session variable for the password above. – Windy Dec 14 '16 at 22:01
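As an added example (not Windy's code or the asker's), the same "check the password, then update" flow written so that it does not keep the password in the session or build SQL from strings: the form re-asks for the current password, the stored value is a `password_hash()` hash, and both queries are mysqli prepared statements. The `$conn` connection, the `$_SESSION['UserID']` key, the `CurrentPassword` form field and the `students` column names are assumptions taken from or extending the question.

```php
<?php
// Added example, not the answer's code. Assumptions: $conn is an open mysqli
// connection, $_SESSION['UserID'] holds the logged-in user's id, and
// students.Password stores password_hash() output (not the plain password).
session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false

function updateStudentIfPasswordMatches(
    mysqli $conn,
    int $userId,
    string $currentPassword,
    string $fname,
    string $lname,
    string $email,
    ?string $newPassword
): bool {
    // 1. Fetch only the stored hash for this user; no user input in the SQL text.
    $stmt = $conn->prepare('SELECT Password FROM students WHERE UserID = ?');
    $stmt->bind_param('i', $userId);
    $stmt->execute();
    $stmt->bind_result($storedHash);
    $found = $stmt->fetch();
    $stmt->close();

    // 2. A wrong password or an unknown user aborts the update before any write.
    if (!$found || !password_verify($currentPassword, $storedHash)) {
        return false;
    }

    // 3. Only now run the UPDATE; a new password is hashed, never stored raw.
    $hash = ($newPassword !== null && $newPassword !== '')
        ? password_hash($newPassword, PASSWORD_DEFAULT)
        : $storedHash;
    $stmt = $conn->prepare(
        'UPDATE students SET FName = ?, LName = ?, Email = ?, Password = ? WHERE UserID = ?'
    );
    $stmt->bind_param('ssssi', $fname, $lname, $email, $hash, $userId);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

if (isset($_POST['Update'])) {
    $ok = updateStudentIfPasswordMatches(
        $conn,
        (int) $_SESSION['UserID'],
        $_POST['CurrentPassword'] ?? '',   // assumed extra form field
        $_POST['FirstName'] ?? '',
        $_POST['LastName'] ?? '',
        $_POST['Email'] ?? '',
        $_POST['Password'] ?? null          // optional new password
    );
    header('Location: updateinfo.php?status=' . ($ok ? 'updated' : 'badpassword'));
    exit;
}
```

The check is done with `password_verify()` against the hash rather than with a `Password = '...'` clause in the query, so the database never needs the plain password and the comparison still works after the hash algorithm or cost is changed.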
0

Your form basically has no validation. Also, there are opportunities for SQL injection. Validate your email field before posting it. Try:

    if(!filter_var($email_variable, FILTER_VALIDATE_EMAIL)){
        // throw some kind of exception or kill the process
    }

I also advise that you use PDO as it supports the use of prepared statements. There is an amazing function there called bindParam() which binds your parameters.

Try:

    $DBH = new PDO("mysql:host=localhost;dbname=test", 'root', '');
    $DBH->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
    $STH = $DBH->prepare("SELECT * FROM student_table WHERE studentID= :id");
    $id = 1; // here you should keep it as a variable and pass it to the param
    $STH->bindParam(':id', $id, PDO::PARAM_STR);
    $STH->execute();

    $STH->setFetchMode(PDO::FETCH_ASSOC);
    $row = $STH->fetch(); // associative array of the matched student, or false

Also, do not post raw passwords directly to your database. Either use the inbuilt PHP hashing algorithm or use some kind of encryption function to secure them.

Rotimi
  • 4,783
  • 4
  • 18
  • 27
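As an added example (not Rotimi's code), the three pieces of this answer put together in the asker's update flow: `filter_var()` validation of the posted fields, a PDO UPDATE with named parameters bound via `bindValue()`, and `password_hash()` applied before the password reaches the table. The `students` column names, the `$_SESSION['UserID']` key and the DSN/credentials are assumptions carried over from the question and the answer; it goes beyond the answer's SELECT by showing the write side as well.

```php
<?php
// Added example, not the answer's code. Assumes a `students` table with columns
// UserID, FName, LName, Email, Password (Password holds password_hash() output)
// and the DSN/credentials from the answer above.
session_start();

function connect(): PDO
{
    $dbh = new PDO('mysql:host=localhost;dbname=test;charset=utf8mb4', 'root', '');
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
    return $dbh;
}

/** Returns a list of validation errors; an empty array means the input is acceptable. */
function validateProfileInput(array $input): array
{
    $errors = [];
    if (!filter_var($input['Email'] ?? '', FILTER_VALIDATE_EMAIL)) {
        $errors[] = 'Email is not a valid address';
    }
    foreach (['FirstName', 'LastName'] as $field) {
        $value = trim($input[$field] ?? '');
        if ($value === '' || mb_strlen($value) > 50) {
            $errors[] = "$field must be 1-50 characters";
        }
    }
    // Length is the only check on the password itself: it is hashed, never escaped or trimmed.
    if (isset($input['Password']) && $input['Password'] !== '' && strlen($input['Password']) < 8) {
        $errors[] = 'Password must be at least 8 characters';
    }
    return $errors;
}

function updateStudent(PDO $dbh, int $id, array $input): void
{
    $sql = 'UPDATE students SET FName = :fname, LName = :lname, Email = :email';
    $changePassword = isset($input['Password']) && $input['Password'] !== '';
    if ($changePassword) {
        $sql .= ', Password = :pw'; // only touch the hash when a new password was supplied
    }
    $sql .= ' WHERE UserID = :id';

    // Every value travels as a bound parameter; none is concatenated into the SQL text.
    $sth = $dbh->prepare($sql);
    $sth->bindValue(':fname', trim($input['FirstName']), PDO::PARAM_STR);
    $sth->bindValue(':lname', trim($input['LastName']), PDO::PARAM_STR);
    $sth->bindValue(':email', $input['Email'], PDO::PARAM_STR);
    if ($changePassword) {
        $sth->bindValue(':pw', password_hash($input['Password'], PASSWORD_DEFAULT), PDO::PARAM_STR);
    }
    $sth->bindValue(':id', $id, PDO::PARAM_INT);
    $sth->execute();
}

if (isset($_POST['Update'])) {
    $errors = validateProfileInput($_POST);
    if ($errors) {
        http_response_code(422);
        foreach ($errors as $e) {
            echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
        }
        exit;
    }
    updateStudent(connect(), (int) $_SESSION['UserID'], $_POST);
    header('Location: updateinfo.php');
    exit;
}
```

Disabling `PDO::ATTR_EMULATE_PREPARES` makes MySQL itself separate the statement from its parameters; with emulation on, PDO escapes client-side, which still works but depends on the connection charset being set correctly, which is why the DSN also pins `charset=utf8mb4`.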